I am new to configuring Application Security Profiles. I have a few that are built and that are currently in learning mode (not blocking).
1. How long should I leave these in learning?
2. The suggestions that are offered... what percentage of "Learning Score" is okay to accept? Anything above 70%, 80%, 90%?
I found that the learning mode can be set to manual, automatic, or disabled. The manual mode takes more time to manage and requires the administrator to understand the risks. All suggestions in manual mode must be accepted, deleted or ignored by the administrator.
Automatic learning mode will apply the suggestions without the administrator needing to approve them. This requires less maintenance from the admin. The downside of automatic learning is that a suggestion could be applied that you do not want.
The answer is "it depends", as you need to understand your application - e.g. is it an application which changes rarely (once a year) or an application which changes weekly/daily? Do you have access to developers/architects who can advise you on how the application works, or is it a 3rd-party application?
It is advisable to learn the application in a test environment, not in production - if you enable learning in production, the risk is that ASM will learn all the attacks as legitimate traffic.
Do you know if the application has known vulnerabilities and if penetration testing has been done?
A good way to start protecting an application if it has known vulnerabilities is to get a copy of the vulnerability scan report (in XML) and import it into the policy, as ASM will then be protecting the specific URLs and parameters which have known vulnerabilities. That will be more efficient than trying to "learn" it.
The best way of course is to get an application security consultant who can build an ASM policy manually for you with application-specific protections.
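To make the scan-import approach from the answer above concrete, here is an added example (not from the thread, and not F5's import code): it parses a vulnerability scan report and reduces it to the explicit URL and parameter entities that a policy should enforce, instead of waiting for learning to propose them. The XML layout, hostnames and finding types are constructed for the example; real scanner exports use their own schemas, so the element names would need adapting before use.

```python
"""Added example (not from the original thread): extract the URLs and parameters
a vulnerability scan reports as affected, so a WAF policy can be tightened on
exactly those entities rather than relying on learning. The XML layout below is
a constructed, generic one; real scanner exports use their own schemas."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample report: two findings on the same URL/parameter,
# one on another parameter, and one informational finding to be filtered out.
SAMPLE_REPORT = """<?xml version="1.0"?>
<scan>
  <finding severity="high" type="SQL Injection">
    <url>https://shop.example.test/search?q=test</url>
    <parameter>q</parameter>
  </finding>
  <finding severity="high" type="Cross-Site Scripting">
    <url>https://shop.example.test/search?q=test</url>
    <parameter>q</parameter>
  </finding>
  <finding severity="medium" type="Path Traversal">
    <url>https://shop.example.test/download</url>
    <parameter>file</parameter>
  </finding>
  <finding severity="info" type="Server Banner Disclosed">
    <url>https://shop.example.test/</url>
  </finding>
</scan>
"""

# Informational findings are not in this map and are therefore always skipped.
SEVERITIES = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_findings(xml_text, min_severity="low"):
    """Return {(path, parameter): set(vuln types)} for findings at or above
    min_severity. Findings without a parameter are keyed with parameter None."""
    threshold = SEVERITIES.get(min_severity, 1)
    entities = defaultdict(set)
    root = ET.fromstring(xml_text)
    for finding in root.iter("finding"):
        sev = SEVERITIES.get(finding.get("severity", "").lower())
        if sev is None or sev < threshold:
            continue  # informational or below the requested threshold
        url_el = finding.find("url")
        if url_el is None or not url_el.text:
            continue
        # Normalise to the path only: the policy entity is the URL, not the
        # particular query string the scanner happened to send.
        path = urlsplit(url_el.text.strip()).path or "/"
        param_el = finding.find("parameter")
        param = param_el.text.strip() if param_el is not None and param_el.text else None
        entities[(path, param)].add(finding.get("type", "unknown"))
    return dict(entities)


def policy_entities(findings):
    """Derive the explicit URL and parameter entities to add to the policy.
    Sorted so the output is stable for review and diffing between scans."""
    urls = sorted({path for path, _ in findings})
    params = sorted((path, p) for path, p in findings if p is not None)
    return urls, params


if __name__ == "__main__":
    found = parse_findings(SAMPLE_REPORT)
    urls, params = policy_entities(found)
    print("URLs to add explicitly:", urls)
    for path, p in params:
        print(f"  parameter {p!r} on {path}: {sorted(found[(path, p)])}")
```

Raising `min_severity` narrows the list to the findings worth enforcing first; the resulting entities are what you would then create explicitly in the policy with the relevant attack signatures enforced, leaving learning to cover the rest of the application.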